Identosphere #29 • IIW32 – Don't Use DIDs (Oh no he DIDn't) – Principles of User Sovereignty – Guardianship Showcase
A preview of our upcoming IIW32 Digest, plus all the stories and upcoming events in the decentralized identity ecosystem that you've come to expect!
Welcome & Thanks to our Patrons
IIW32 just wrapped up, and we don’t have tons in the feed for it, yet. However, we will produce an IIW Digest for Patrons only, sometime later this week. There’s no way we could fit it all and the regular stories in the free newsletter.
In appreciation of your support, you will get access to all of our Patron-only content, currently including the first Identosphere Quarterly Edition and the upcoming IIW digest, which will provide a high-level view of the workshop and additional material we harvest from our feeds and the event itself.
OpenID Foundation Virtual Workshop • April 29
Redefining the Student Journey and Beyond Through Verifiable Credentials Condatis • May 11
Identiverse 2021 • June 21-23 (Denver)
We're building a trust layer into the internet. That's an ambitious goal with plenty of unsolved problems left to tackle. We need brilliant, passionate people to help us achieve this.
I welcome Kaliya Young (often referred to as IdentityWoman) for a sneak peek at what to expect from IIW32: the 32nd iteration of the Internet Identity Workshop, which will be hosted virtually. For over 15 years, IIW has been the premier place to bring together the largest concentration of talents dedicated to designing and building identity systems that empower individuals.
Introducing: WACI (Wallet And Credential Interaction) by Jace Hensley
We reviewed the spec above,
Orie linked this related GitHub issue and discussion:
Also related: https://w3c-ccg.github.io/vp-request-spec/#format
The Principles of User Sovereignty and A Unified Theory of Decentralization by David Huseby
Before setting out on solving the authentic data solution for global scale I wanted to best understand the problem of decentralization and then declare the principles that I bound myself to while solving it. There was very little discussion other than some clarifications on what I mean by "absolute" privacy by default and how that may make users reluctant to use any software like that.
Don’t use DIDs, DIDs, nor DIDs: Change My Mind (a.k.a. Oh no he DIDn’t) by Dave Huseby (article)
Joe came and fervently disagreed with my assertions. Lots of people had reasonable counter arguments. My main arguments are 1. DID Documents don't have history when old keys are always relevant and 2. having 94 different DID methods that aren't compatible nor replaceable and don't function the same way is a HUGE problem.
Guardianship Showcase - The Sovrin Working Group Tech Requirements and Implementation Guidelines by John Phillips, Jo Spenser (Presentation)
Sovrin is looking to promote the governance process and where guardianship fits in. The IdRamp wallet is an example of how the wallet could provide helpful features.
This challenge is seeking a portable secure digital credentials (self-sovereign identity) solution held by individuals that can be independently, cryptographically and rapidly verified using emerging distributed ledger standards and an approach that may give rise to a global digital verification platform.
Initiatives like the investment in the Known Traveller Digital Identity pilot project and the Canada Digital Adoption Program will help Canadians, businesses and governments on this path.
we can get the good parts of paper credentials—private transactions between holders and verifiers and no callback to the issuer. Second, the issuer gets a trusted, open and transparent way to publish the cryptographic material needed for those private holder-verifier transactions. Third, there is no need to have a “Trusted Third Party” participating in the interactions.
And did I mention, no private data goes on the DLT!!!
Q1 2021 in review: The LEI in Numbers: Data from the latest Global LEI System Business Report reveals LEI adoption from January to March 2021.
Once an ecosystem is configured, providers need to onboard participants like issuers and verifiers. Trinsic Ecosystems comes with an API that’s extremely easy for any issuer or verifier to integrate and can be white-labeled with the name of the provider. In addition to the API, ecosystem participants can use the Trinsic Studio, a white-labeled web dashboard.
Research from the American Association of Collegiate Registrars and Admissions Officers has revealed that 89% of US and Canadian institutions report using at least one type of digital credential – including digitally signed PDFs – with one third planning to devote more resources to the digitisation of credentials.
VC-Generator allows you to choose a credential type that needs to be issued or verified from a drop-down list and displays the associated VC schema.
In the first part of this series, we introduced the idea that traditional PKI-based digital identity solutions can potentially benefit from blockchain technology.
For this next part of the series, we’ll touch on the relatively new idea of self-sovereign identity, or SSI.
Self-Sovereign Identity: More Use Cases: Heather Dahl and Ken Ebert of Indicio Discuss Decentralized ID Management
with Information Security Media Group, Dahl and Ebert discuss:
The evolution of Indicio.tech from the Sovrin Foundation;
Key initiatives in implementing and testing decentralized identity;
How a decentralized workforce is accelerating the need for identity management.
With DID already being implemented, this new and exciting technology is due to shake up the digital identity space. We expect decentralized identity to continue making headway, with more and more sectors and businesses adopting the technology.
What makes My.D unique is it holds the capability to act as a digital wallet, manage multiple identities, and share credentials. A tool designed and scaled for user transparency and authentication. Furthermore, it can be tailored according to the business needs, and individual customer needs too. It is designed on open standards, which affirms its interoperability. Anyone can access it from anywhere and is not dependent on the existing single authority. It could be verified across multiple channels.
We should digitize nothing more and nothing less than the fact that someone received their vaccine. A verifiable credential carrying this information would include the place, date and time, the type of vaccine, and the medico who administered or witnessed the shot. The underlying technology should be robust, mature and proven at scale ― as is PKI and public key certificates
If the global pandemic has shown us anything, it’s that the need for reliable and secure data is paramount as businesses, governments, and Canadians from Vancouver to Quebec City to Charlottetown and everywhere in between move online.
Since most of the educational institutes were facing security crises, new challenges are added to the security system to identify and manage the users’ access to these platforms. The most relevant challenges include, but are not limited to, legacy identity infrastructure, student lifecycle and user access complexity and new cyber threats.
self-sovereign identity verification, one of the game-changing background screening trends of 2021. When combined with screening activities, self-sovereign identity solutions offer opportunities to obtain more accurate candidate background data and deliver it to employers faster.
AI Regulation Proposed by EU Commission – Fine Line between Prohibition and Empowerment – Limited Success
The proposed regulation will follow a risk-based approach, as we surmised in a previous blog post.
AI applications will be categorized as creating unacceptable risk, high risk, low risk, and minimal risk. An AI system that causes unacceptable risk by violating the fundamental rights of EU citizens will be prohibited. These prohibitions are called out specifically, including:
Manipulation with the intent to affect human behavior that would result in physical or psychological harm, including subliminal techniques
Exploitation of vulnerable people groups
Social scoring systems by public authorities
Remote ‘real-time’ biometric identification systems in public spaces for law enforcement
from the plethora of federal privacy bills put forward, there are three standouts: […]
Consumer Online Privacy Rights Act (COPRA) (Democrats) – Sponsored in November 2019 by Democratic Senator Maria Cantwell of Washington, this bill is considered by some to be “GDPR-esque” and more consumer than business friendly. […]
Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act) (GOP) – Combining three previous bills, the SAFE DATA Act is considered by some as more “business friendly”. […]
Information Transparency and Personal Data Control Act – Re-introduced by Congresswoman Suzan DelBene (WA-01) for the fourth time (the latest on March 10, 2021), this bill “… protects personal information including data relating to financial, health, genetic, biometric, geolocation, sexual orientation, citizenship and immigration status, Social Security Numbers, and religious beliefs. It also keeps information about children under 13 years of age safe.” Beyond this it requires businesses to write their privacy policies in simple language.
The report focuses on the approaches towards eID outlined in national strategy documents, together with other supporting documentation and web resources, with the aim of offering a thorough understanding of the eID state of play across Europe.
Identity Not SSI
this specification takes the JWT Request Object from Section 6 of OpenID Connect Core (Passing Request Parameters as JWTs) and makes this functionality available for pure OAuth 2.0 applications – and does so without introducing breaking changes.
The WebAuthn Working Group publishes Level 2 Recommendation of WebAuthn: An API for accessing Public Key Credentials
defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given WebAuthn Relying Party, are created by and bound to authenticators as requested by the web application.
Decentralized - Not ID
To reiterate… we won’t be shilling, promoting or otherwise marketing our token, and if you ever see anyone using our name or logo to do so, be aware of them as scammers and report them.
How can we distribute equity among participants of the community rather than sucking it up into a centralized megacorporation or institutional investors? That question has been giving me energy. And there are more and more people thinking along similar lines.